Analysis Overview
Threat Level: Known bad
The file https://gofile.io/d/3JWa0b was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Browser Information Discovery
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 13:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 13:28
Reported
2024-08-30 13:47
Platform
win10v2004-20240802-en
Max time kernel
1049s
Max time network
433s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/3JWa0b
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff540d46f8,0x7fff540d4708,0x7fff540d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,382843517444334366,2460523417214327163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm+v5.1-5.2\" -ad -an -ai#7zMap12511:88:7zEvent16876
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x33c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gofile.io | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.38.43.18:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cold7.gofile.io | udp |
| US | 136.175.8.109:443 | cold7.gofile.io | tcp |
| US | 136.175.8.109:443 | cold7.gofile.io | tcp |
| US | 8.8.8.8:53 | 109.8.175.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 27304926d60324abe74d7a4b571c35ea |
| SHA1 | 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1 |
| SHA256 | 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de |
| SHA512 | f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd |
\??\pipe\LOCAL\crashpad_4444_UHSNZBCGRLGAUDJE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9e3fc58a8fb86c93d19e1500b873ef6f |
| SHA1 | c6aae5f4e26f5570db5e14bba8d5061867a33b56 |
| SHA256 | 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4 |
| SHA512 | e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5af29956ff8f5463a85568d3919e2180 |
| SHA1 | a79ac73cb3dbb4fd96dde5525d30ac1badd6870c |
| SHA256 | 003ea60011f02ee8a2c27fc3d6b0fe9b8f8eddfab878a87ed483711af0c50cb2 |
| SHA512 | 19dfee20be3db07877c129153195c727d46656b6254cc071165b2eea74af71bb33cae31cd061a50bab2c01b87481f6b36f4f9b84c81a168a75d00f3c5210836b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5364e344f0fe66aee7146d51b3b2b013 |
| SHA1 | e6d001bba84e609a4b0d0667cc1463b92114c72c |
| SHA256 | 13293eba3bdd324ff7e4e9526edde01a38df2cc5da23dbf409839e5763c32bed |
| SHA512 | 25e5ae20534e3db6217c48b7c7e306810f6693eba546f493d14af679ef1066a4c061cc8722d55c803349148e84237ac4b4d36d727c02856b965d282ffd8014a0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3f7a9f4f15a167d1550e3086e10f6303 |
| SHA1 | aed0d4edffc8d5dfab48a862f5e66fbeef123953 |
| SHA256 | c70d48a9628b24464794c6622b8e237aae2c6f76d3ed2e26726e88029c2be3ae |
| SHA512 | 7629173cab2202df5065e5eb0512a626cf31b4d460f2ab349f078728eefa12e0944d1cc9a0180f686e233677aef2cc865a4eb06c153bb35353821d894f3b82f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bee04ea1c279b9d7c43c0881aaaea88b |
| SHA1 | 9dc200fa78ec3820130d4c6011a57d9003225527 |
| SHA256 | bd24e7b63e1a44d1964bbc8bf3e75438a5bdb61e5a65b99d55c3ae95e7a9a086 |
| SHA512 | adc9c8686c9f298063d779bd8d470352ab30ed67f1a74dbc4d9307581168e6bb54d5d0076e7270049ae6993411086a4762caf4936ca8dae66826520b6d9d4d22 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7e5b8a2dd0e29767b8afa50116a76375 |
| SHA1 | 6869f15d38d994c4d5ba1d105f235e67375493fc |
| SHA256 | d3780982097f1f1ec69613b9a07a20456e08c4ccd41621150795963a526ae735 |
| SHA512 | dcf5bc821e1eb33f691d8503a91e6beee5fc0d77b55cfe690588cc23c84e6c70651c1f78cf586d8c4aa880208b7be5c66185329aacdd3fd42d3c1e7c08569962 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 313de748e011605a91e1ad4a792eae32 |
| SHA1 | 126df3c95c5761c209eb3669ea13c1473f784e28 |
| SHA256 | 065e0d36ef2a996002b6e6de376c58e4bf3c737f994ee9b6c3cfa26e9bd4fc36 |
| SHA512 | e707e294a057acfc151a9fde67862a919c1ca5b8c229cdc6e47c3e1c3ed0cd3c6b5f605d3eedcd5c7f9a78c3cf5d17006d8af205d9b609f2a48d1790c26f3d5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e409a1a1e08e73feb5fd11d6f66ddcdf |
| SHA1 | d5180de4164fbe6ccd242c810213e2b1e08b5666 |
| SHA256 | 95a22ff6475f4aa13c8ac653af7d42dab7b10a471cc4c9000186642d79cc958b |
| SHA512 | 92499a4eb68ff8051995815f6dcea69aba9fbcc1ec0cb5b7503620f247e11ee5148fd77e64c1cadf750ecb05b4202c150e0271796415dae8cfbcf8ea4be2fc64 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 31faa8489b5c6524fb1620b53a0ecc3d |
| SHA1 | c4c7d737e44abca37fbd209cd9a59e6e3e9d7ea3 |
| SHA256 | ff9e0418f42f85bdd01f9e787d4a5f8bd2942f9bd0b6d463e39b4906c9253668 |
| SHA512 | 7707e0e83781606ee1aa21874052857c69f07a5cacf223fe3fed8e8eea14f8248a2a8054dd2400f195986aef43660150b92a9c7b09a62a5b4e902d1b8e8756ea |
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.1\Icons\icon (15).ico
| MD5 | e3143e8c70427a56dac73a808cba0c79 |
| SHA1 | 63556c7ad9e778d5bd9092f834b5cc751e419d16 |
| SHA256 | b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188 |
| SHA512 | 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc |
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe.config
| MD5 | 15c8c4ba1aa574c0c00fd45bb9cce1ab |
| SHA1 | 0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8 |
| SHA256 | f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15 |
| SHA512 | 52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4 |
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
| MD5 | e6a20535b636d6402164a8e2d871ef6d |
| SHA1 | 981cb1fd9361ca58f8985104e00132d1836a8736 |
| SHA256 | b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2 |
| SHA512 | 35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30 |
memory/2660-567-0x00000000006C0000-0x00000000006E0000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\RVGLib.dll
| MD5 | d34c13128c6c7c93af2000a45196df81 |
| SHA1 | 664c821c9d2ed234aea31d8b4f17d987e4b386f1 |
| SHA256 | aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7 |
| SHA512 | 91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689 |
memory/2660-569-0x000002A8D6F20000-0x000002A8D6F62000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\MonoMod.Backports.dll
| MD5 | dd43356f07fc0ce082db4e2f102747a2 |
| SHA1 | aa0782732e2d60fa668b0aadbf3447ef70b6a619 |
| SHA256 | e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6 |
| SHA512 | 284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e |
memory/2660-571-0x000002A8D6F70000-0x000002A8D6F98000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\MonoMod.ILHelpers.dll
| MD5 | 6512e89e0cb92514ef24be43f0bf4500 |
| SHA1 | a039c51f89656d9d5c584f063b2b675a9ff44b8e |
| SHA256 | 1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0 |
| SHA512 | 9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b |
memory/2660-573-0x000002A8D5740000-0x000002A8D5746000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\Mono.Cecil.dll
| MD5 | de69bb29d6a9dfb615a90df3580d63b1 |
| SHA1 | 74446b4dcc146ce61e5216bf7efac186adf7849b |
| SHA256 | f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc |
| SHA512 | 6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015 |
memory/2660-575-0x000002A8EF930000-0x000002A8EF98E000-memory.dmp
memory/2660-577-0x000002A8EF990000-0x000002A8EF9E6000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\MonoMod.Utils.dll
| MD5 | 79f1c4c312fdbb9258c2cdde3772271f |
| SHA1 | a143434883e4ef2c0190407602b030f5c4fdf96f |
| SHA256 | f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a |
| SHA512 | b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9 |
memory/2660-578-0x000002A8D56C0000-0x000002A8D56C6000-memory.dmp
memory/2660-579-0x000002A8D5720000-0x000002A8D5726000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\MonoMod.Core.dll
| MD5 | b808181453b17f3fc1ab153bf11be197 |
| SHA1 | bce86080b7eb76783940d1ff277e2b46f231efe9 |
| SHA256 | da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd |
| SHA512 | a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3 |
memory/2660-581-0x000002A8EF9F0000-0x000002A8EFA2C000-memory.dmp
memory/2660-582-0x000002A8D6FC0000-0x000002A8D6FDA000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe
| MD5 | 8b7b015c1ea809f5c6ade7269bdc5610 |
| SHA1 | c67d5d83ca18731d17f79529cfdb3d3dcad36b96 |
| SHA256 | 7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e |
| SHA512 | e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180 |
memory/2660-584-0x000002A8F0750000-0x000002A8F1388000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll
| MD5 | 2f1a50031dcf5c87d92e8b2491fdcea6 |
| SHA1 | 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f |
| SHA256 | 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed |
| SHA512 | 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8 |
memory/2660-592-0x000002A8F1B90000-0x000002A8F277C000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\Guna.UI2.dll
| MD5 | bcc0fe2b28edd2da651388f84599059b |
| SHA1 | 44d7756708aafa08730ca9dbdc01091790940a4f |
| SHA256 | c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef |
| SHA512 | 3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8 |
memory/2660-594-0x000002A8F0400000-0x000002A8F05F4000-memory.dmp
memory/2660-595-0x000002A8F0200000-0x000002A8F03A9000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\GeoIP.dat
| MD5 | 8ef41798df108ce9bd41382c9721b1c9 |
| SHA1 | 1e6227635a12039f4d380531b032bf773f0e6de0 |
| SHA256 | bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740 |
| SHA512 | 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b |
memory/2660-597-0x000002A8F0200000-0x000002A8F03A9000-memory.dmp
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\Sounds\Intro.wav
| MD5 | ad3b4fae17bcabc254df49f5e76b87a6 |
| SHA1 | 1683ff029eebaffdc7a4827827da7bb361c8747e |
| SHA256 | e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf |
| SHA512 | 3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3 |